From c00bf8c96a97190f3886163f5cb2a807f2ea3eb3 Mon Sep 17 00:00:00 2001
From: Bill Zissimopoulos
Date: Sat, 20 Feb 2016 23:01:27 -0800
Subject: [PATCH] dll: FspFileSystemDispatcherThread: sanitize response on return from user-mode file system

---
 src/dll/dispatch.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/dll/dispatch.c b/src/dll/dispatch.c
index 81cd4234..36d4bd44 100644
--- a/src/dll/dispatch.c
+++ b/src/dll/dispatch.c
@@ -68,7 +68,7 @@ static DWORD WINAPI FspFileSystemDispatcherThread(PVOID FileSystem0)
 {
     FSP_FILE_SYSTEM *FileSystem = FileSystem0;
     NTSTATUS Result;
-    SIZE_T RequestSize;
+    SIZE_T RequestSize, ResponseSize;
     FSP_FSCTL_TRANSACT_REQ *Request = 0;
     FSP_FSCTL_TRANSACT_RSP *Response = 0;
     HANDLE DispatcherThread = 0;
@@ -122,6 +122,21 @@ static DWORD WINAPI FspFileSystemDispatcherThread(PVOID FileSystem0)
         }
         else
             Response->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
+
+        ResponseSize = FSP_FSCTL_DEFAULT_ALIGN_UP(Response->Size);
+        if (FSP_FSCTL_TRANSACT_RSP_SIZEMAX < ResponseSize/* should NOT happen */)
+        {
+            memset(Response, 0, sizeof *Response);
+            Response->Size = sizeof *Response;
+            Response->Kind = Request->Kind;
+            Response->Hint = Request->Hint;
+            Response->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
+        }
+        else
+        {
+            memset((PUINT8)Response + Response->Size, 0, ResponseSize - Response->Size);
+            Response->Size = (UINT16)ResponseSize;
+        }
     }
 exit:
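Review bot: The new `ResponseSize` is added to the shared declaration line with no comment, yet it holds a value derived from `Response->Size` — a field the user-mode file system writes and that the dispatcher therefore cannot trust — and it is narrowed back with a `(UINT16)` cast where it is consumed, so its width and its role are not evident from the declaration alone. A one-line comment would make both clear: `SIZE_T RequestSize, ResponseSize; /* ResponseSize: Response->Size rounded up to the FSCTL alignment; kept wider than Size so the round-up is bounds-checked before being stored back (untrusted input from the user-mode FS) */`. The wrap-avoidance motive is presumed from the cast and the SIZEMAX comparison rather than stated anywhere in the patch, so confirm it before wording the comment that way. FspFileSystemDispatcherThread's body, including the hunk that uses ResponseSize, continues outside this hunk.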